> Worm.Bagle.H found in unzipped file. It's impossible
> to create signature of encrypted zip file.
This new infection method is likely to drive us nuts. This is the
password-less workaround I've come up with, and your input is appreciated.
The Unix unzip output looks like so:
$ uvscan -lv virus.zip
Archive:  TextDocument.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
--------          -------  ---                            -------
   21150            21150   0%                            1 file
Fortunately we can get the file CRC without actually extracting the file.
Can zip file CRCs count as sigs? A quick/crude Perl hack to test for
this at the MTA seems to work pretty well:
use strict;
use warnings;

my $file = shift;   # path of the zip attachment handed over by the MTA

# Fork a child that runs "unzip -lv"; the parent reads the listing from $unzip.
# open() with "-|" returns the child's pid to the parent, 0 in the child, undef on failure.
my $pid = open(my $unzip, "-|");
defined $pid or die "cannot fork: $!";
if ($pid == 0) {
    exec("/usr/bin/unzip", '-lv', $file) or die "cannot exec unzip: $!";
}

my $found = 0;
while (<$unzip>) {
    # The CRC-32 column is printed without needing the archive password.
    if (/7ac0095f/) {
        $found = 1;
        last;            # stop reading once the known CRC shows up
    }
}
close($unzip);

if ($found) {
    print "Found the w32nsc/Bagle.H-zip virus !!!\n";
    found_virus();       # site-specific reject/quarantine hook, not shown here
}
Suggestions? There are really easy ways for the virus writer to
circumvent this type of check, but until they start utilizing such
strategies, is it possible to include the zip's CRC in ClamAV's sigs?
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
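The check the post describes, written out as an added example (this is not code from the post, from ClamAV, or from any MTA glue). Traditional PKWARE zip encryption ("ZipCrypto") encrypts only the member data; the central directory, with each member's CRC-32 and sizes, stays in the clear, which is exactly what unzip -lv prints and what the Perl hack greps. The block below builds a constructed one-member archive in memory that is genuinely ZipCrypto-encrypted, then scans it by (CRC-32, uncompressed size) without the password. The member name, payload bytes, password and signature label are all made up for the example; the scanner matches on CRC plus size rather than on the file name, so renaming the dropper does not evade it, although changing a single byte of the dropper does.

```python
"""Match a known file inside a password-protected zip by its CRC-32 and size.

Added example, not code from the post above or from ClamAV.  It builds a
constructed one-member archive in memory that is genuinely encrypted with the
traditional PKWARE ("ZipCrypto") cipher, then shows that the central directory
still yields the member's CRC-32 and sizes without the password, and matches
them against a constructed signature table.  The file name, payload, password
and signature label are all made up.
"""
import io
import os
import struct
import zipfile
import zlib

# Table-driven CRC-32 step used by ZipCrypto's key schedule (APPNOTE 6.1).
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)


def zipcrypto_encrypt(password: bytes, plaintext: bytes, crc: int) -> bytes:
    """Return the 12-byte encryption header plus ciphertext for one member."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update_keys(b):
        keys[0] = (keys[0] >> 8) ^ CRC_TABLE[(keys[0] ^ b) & 0xFF]
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

    for b in password:
        update_keys(b)
    # 11 random bytes, then the high byte of the CRC as the password check byte.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for b in header + plaintext:
        k = (keys[2] | 2) & 0xFFFF
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update_keys(b)  # the key schedule advances on the plaintext byte
    return bytes(out)


def signature_of(payload: bytes) -> tuple:
    """(CRC-32, uncompressed size) key for a known sample."""
    return zlib.crc32(payload) & 0xFFFFFFFF, len(payload)


def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """Write a stored (method 0), ZipCrypto-encrypted zip holding one member."""
    crc, _size = signature_of(payload)
    data = zipcrypto_encrypt(password, payload, crc)
    fname = name.encode("ascii")
    flags, method = 0x0001, 0            # general-purpose bit 0 = encrypted
    dos_time, dos_date = 0x9C20, 0x3061  # 19:33 on 2004-03-01, as in the listing
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        dos_time, dos_date, crc, len(data), len(payload),
                        len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dos_time, dos_date, crc, len(data),
                          len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(data), 0)
    return local + data + central + eocd


def scan_zip(zip_bytes: bytes, signatures: dict) -> list:
    """Return (member, label, encrypted) for every member matching a signature.

    Only the central directory is consulted: no password and no extraction.
    ZipCrypto encrypts member data, not the directory, so CRC-32 and sizes are
    in the clear.  Keying on (CRC, size) rather than the name survives a rename.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            label = signatures.get((info.CRC, info.file_size))
            if label is not None:
                hits.append((info.filename, label, bool(info.flag_bits & 1)))
    return hits


def demo():
    """Build the constructed sample, scan it, and show the password gate."""
    payload = b"MZ" + bytes(range(256)) * 4   # constructed stand-in for the dropper
    password = b"hunter2"                     # constructed password
    signatures = {signature_of(payload): "Test.Dropper"}
    zip_bytes = build_encrypted_zip("hifrm.scr", payload, password)
    hits = scan_zip(zip_bytes, signatures)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:                       # without the password, extraction is refused
            zf.read("hifrm.scr")
            refused = False
        except RuntimeError:
            refused = True
        decrypted = zf.read("hifrm.scr", pwd=password) == payload  # with it, it round-trips
    return hits, refused, decrypted


if __name__ == "__main__":
    print(demo())
```

The scanner is a stopgap of the same kind as the Perl hack: it needs no password and no extraction, but a signature keyed on CRC-32 and size is defeated by any change to the packed file, so it catches one specific dropper build rather than a family.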
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users